There are probably many threads out there on how to encrypt your root file system. I'm probably a n00b, but anyway, here is my mini-contribution. Make sure you back up your system first, and if you trash it (highly probable!), don't blame me.

Note: cryptsetup is now in portage. Just emerge cryptsetup instead of the above!

Creating initrd image:
Now we need to create our initrd; I'll call it myinitrd. It's a simple task once you've played around a bit with it. I highly recommend playing with initrds before you actually go and encrypt your root (the last step in this mini-howto).

First create the image. I'm using a 4MB initrd, but feel free to expand that if you need more; just remember to set the maximum ramdisk size option in your kernel configuration accordingly.

Done with the initrd. Test all the binaries in it by chrooting in and running them one by one. You should get no error messages about missing libraries:

Code:

chroot /mnt/initrd /bin/sh
/bin/chroot --help
/bin/mkdir --help
....

Unmount the initrd and copy it over to /boot. Since I'm using bootsplash, I've appended my bootsplash initrd to it. Note that you can still mount/unmount the image and play with it even after cat'ing the bootsplash image onto it; mount knows its start and end.

Encrypting the filesystem:
Now on to encrypting the file system (make sure you have a backup!!!). How you encrypt it is up to you. Here I'm assuming you have enough space on hda3, that you have a Linux boot CD or Linux installed on another partition, and that you've booted from that:

Notes:
1. If you can't find a bootable CD with all the ingredients needed to encrypt your root, no problem! Just change your grub.conf line above to 'init=/bin/sh'. Now when you boot you'll get a nice little shell inside a ramdisk that you can work from. Of course, you'll need all the necessary tools in the initrd image (e.g. mkreiserfs, fdisk, etc.).

2. If you have the default Gentoo behaviour of saving '/dev' at reboot and restoring it at boot, make sure that your '/dev/mapper' directory contains a 'root' entry with major 254, minor 0 (mknod /dev/mapper/root b 254 0) just before your last reboot into the new encrypted root. Otherwise, it'll fail at boot time.

3. If you're running a modular kernel, no problem! Add a modules directory to myinitrd, say '/mods'. Copy the modules you'll need to it. Copy 'insmod' and the required libs to '/bin' and '/lib', and that's it. Just don't forget to modify 'linuxrc' to insert the modules before the 'cryptsetup' line. For example, 'insmod /mods/dm-mod.ko' ... and so on.

Reboot, and cross your fingers.

Last edited by veezi on Mon Oct 25, 2004 7:05 pm; edited 4 times in total
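The howto above describes the initrd build in prose (copy each tool with its libraries, create the device nodes, chroot in and run every binary). The script below does those steps as functions. It is an added example for this thread, not veezi's own commands: it assumes the image is already created and loop-mounted (e.g. on /mnt/initrd), that it is run as root, and that the tool paths and the partition name given on the command line are examples. The IDE major/minor helper also covers the hda2/hda3 mknod question raised later in the thread.

```shell
#!/bin/sh
# build-initrd-root.sh: populate a mounted initrd image the way the howto
# describes: each tool plus the shared libraries ldd lists for it, the
# device nodes linuxrc will use, then a chroot smoke test of every binary.
# Added example for this thread, not veezi's own commands. Assumes the
# image is already created and loop-mounted (e.g. /mnt/initrd) and that
# this runs as root; the tool paths on the command line are examples.

set -eu

# Read ldd(1) output on stdin and print one library path per line. Covers
# "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare "/lib/ld-linux.so.2
# (0x...)" loader line. The vdso entry ("linux-gate.so.1 => (0x...)") has
# no path and is skipped, as is "statically linked".
ldd_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy $1 into the initrd rooted at $2 together with its libraries, keeping
# the same paths so the dynamic loader finds them inside the chroot.
install_with_libs() {
    bin=$1 root=$2
    mkdir -p "$root$(dirname "$bin")"
    cp -p "$bin" "$root$bin"
    # ldd fails on static binaries; the pipeline's status is awk's, so the
    # loop simply runs zero times in that case.
    for lib in $(ldd "$bin" 2>/dev/null | ldd_libs); do
        [ -e "$root$lib" ] && continue
        mkdir -p "$root$(dirname "$lib")"
        cp -pL "$lib" "$root$lib"   # -L: copy the file a symlink points at
    done
}

# "major minor" for an IDE disk or partition name: hda and hdb share major 3
# (minors 0-63 and 64-127), hdc and hdd share major 22; the partition number
# is the offset within the disk's 64-minor range, so hda3 -> "3 3" and
# hdb1 -> "3 65". The howto's "mknod ... hda2 b 3 2" is one instance.
ide_devnode() {
    disk=${1%%[0-9]*}
    part=${1#"$disk"}
    case $disk in
        hda) echo "3 $((0 + ${part:-0}))" ;;
        hdb) echo "3 $((64 + ${part:-0}))" ;;
        hdc) echo "22 $((0 + ${part:-0}))" ;;
        hdd) echo "22 $((64 + ${part:-0}))" ;;
        *)   echo "ide_devnode: not an IDE name: $1" >&2; return 1 ;;
    esac
}

# Nodes linuxrc needs: console and null, each partition named on the command
# line, and an empty /dev/mapper. /dev/mapper/control is deliberately left
# to boot time, because its major is assigned by the running kernel.
make_devnodes() {
    root=$1; shift
    mkdir -p "$root/dev/mapper"
    [ -e "$root/dev/console" ] || mknod "$root/dev/console" c 5 1
    [ -e "$root/dev/null" ]    || mknod "$root/dev/null" c 1 3
    for p in "$@"; do
        nums=$(ide_devnode "$p")
        [ -e "$root/dev/$p" ] || mknod "$root/dev/$p" b ${nums% *} ${nums#* }
    done
}

# The howto's test, automated: run every binary inside the chroot and report
# the ones the loader refuses to start. A missing /lib/ld-linux.so.2 shows up
# as "No such file or directory" even though the binary itself exists.
check_initrd_bins() {
    root=$1 rc=0
    for f in "$root"/bin/*; do
        name=/bin/${f##*/}
        err=$(chroot "$root" "$name" --help 2>&1 >/dev/null) || true
        case $err in
            *"shared librar"*|*"not found"*|*"No such file"*) echo "FAIL $name: $err"; rc=1 ;;
            *) echo "ok   $name" ;;
        esac
    done
    return $rc
}

# Usage (as root, image mounted): sh build-initrd-root.sh /mnt/initrd hda2 \
#     /bin/sh /bin/mount /bin/umount /bin/chroot /usr/bin/cryptsetup ...
if [ $# -ge 3 ]; then
    root=$1 part=$2; shift 2
    for bin in "$@"; do install_with_libs "$bin" "$root"; done
    make_devnodes "$root" "$part"
    check_initrd_bins "$root"
fi
```

Run it once per set of tools; the FAIL lines are exactly the "missing libraries" the howto tells you to look for, and rerunning after adding the reported library is enough.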

I don't know much about encrypting swap. You may want to look around for an answer.

As for other partitions, well, if you can encrypt the root partition, then you can encrypt anything else. For the home partition, I just add the following to my '/etc/conf.d/local.start':

Code:

/usr/bin/cryptsetup create home /dev/whatever
/bin/mount /home

Of course, you'll need to have the corresponding entry in /etc/fstab:

Code:

/dev/mapper/home /home reiserfs noatime,noauto 0 0

Notice that the home partition isn't accessed by the init boot scripts. That's why it's easy to leave it to the last stage (through local.start). If you have other partitions which need to be mounted earlier, you might want to mount them inside your linuxrc script.

Notice also the 'noauto' option in /etc/fstab. You'll need to have that in there to prevent the init scripts from automatically mounting those partitions.

rajl, here's how I set it up with multiple partitions and encrypted swap. I had problems compiling cryptsetup-0.1 statically, which means it needs /usr mounted, so I set up all the devices with linuxrc first, then copy them to /dev after pivot_root. When I get cryptsetup compiled statically, I'll change it to set up the other partitions in the initscript rather than in linuxrc.

My key is encrypted on a USB flash drive, as described by mossmann in this thread, but I can't get the USB stick booting (yet), so /boot is left unencrypted on the hard drive, which has this layout:

Here's my linuxrc, which mounts the loopback key on USB and, after checking the passphrase, sets up the data partitions with that key (/dev/mapper/bootkey) and recreates swap with /dev/random. It just checks the passphrase by trying to mount root; if the passphrase is wrong, there'll be no mapped filesystem to mount.

As you can see, the initrd doesn't get unmounted yet, which means the devices created with cryptsetup in linuxrc can be copied from /initrd/dev/mapper/ to /dev/mapper/ proper once the main init starts.

After backing up the system, encrypting the partitions with my key from boot media and copying everything back over (I used a ramdisk with cryptsetup added), I mounted root, then the other partitions, and chrooted in to update fstab and grub.conf, add the initscript below to the boot runlevel, and create the /initrd partition (to mkdir it from linuxrc, root has to be mounted rw).

(Edited the initscript: / doesn't need mounting rw there, as /dev is on a different filesystem... doh.)

The initscript has to be run before checkroot, which is the first thing run in the boot runlevel. /sbin/rc has a list of critical services which are run first regardless of dependencies etc. To get the dm-crypt script running first, create the file /etc/runlevels/boot/.critical and add the following line:

Thanks for the help. Much appreciated. My gcc and xfree/xorg decided not to play nice this weekend (some stupid error involving the hardened toolchain that just won't fix), so I'll probably use this as a great excuse to encrypt my Linux drive in the process.

-Rajl

-----------------------------------------------------------
It's easy to be brave once you consider the alternatives.

Encryption of my root partition works without any problems, but /initrd doesn't get deleted.
I always get "rm: operation not permitted" error messages at startup.

Furthermore, encrypting my swap partition with /dev/random as the keyfile doesn't seem to work: the call to cryptsetup takes ages to complete. Strangely, it exits after a few seconds when I hold down the Ctrl key...

What I tried to do was copy /bin/sleep into myinitrd together with its libraries and add "sleep 10" at various places in the linuxrc file to be able to see what's happening, but it didn't take effect at all, so my guess is my initrd isn't read?

Update:

I changed from grub to lilo and now it boots and asks for my passphrase (just before this, it gives "warning: can't open /etc/fstab: No such file or directory"; is this okay?). After entering my passphrase, it outputs some text about reiserfs, finding the partition, etc.

Then, however, at "Checking root filesystem" it stops:

Code:

Failed to open the device '/dev/mapper/root': No such file or directory

Thanks for the guide. I've been fighting with it for about a week now and don't know what next step to take.
Also, I have some suggestions for the guide, and they might fix other people's problems:

1. When creating the initrd image I was a little confused, since I never did much with loops. You should add a "cd /mnt" as the first step.
2. When I first copied files to the ram drive I just pasted your commands. But off the Gentoo live CD, cryptsetup is located in "/bin/" instead of "/usr/bin" as you suggest.
3. When you "mknod /mnt/initrd/dev/hda2 b 3 2", you should say that if you are using another partition like hda3, the major/minor numbers are 3 3 (if that's true?).
4. Your grub kernel line wraps on my screen (either that or you hit enter), and when I copy/pasted I had problems.
5. When encrypting the FS, you should call cryptsetup with -y to verify that you got the password right. Typing the password only once when setting it can cause problems with long complex passwords, or fat fingers.
6. When I compiled device mapper into the kernel and booted off the ram disk, /proc/devices listed device-mapper with a major of 253; not sure if that matters.

Well, anyway, my problem is that when I run cryptsetup I get

Code:

Command failed: Invalid argument

Now, I got that error at first when I booted off the Gentoo live CD and tried to encrypt the system; I found out that dm_crypt wasn't loaded, so a quick modprobe fixed that. But I compiled everything needed in, I think, and on boot up I see that device mapper is loaded.

I know I have this problem because I set linuxrc to "exec /bin/sh" and run the commands manually. I get the error above when I get to cryptsetup. I can also boot off the live CD, run modprobe dm_crypt, and then decrypt the device and chroot, so I know that works.

Here are the things that ARE set; I deleted the ones that weren't to save space:

I'm also getting a "command failed" error message. If I pass init=/bin/sh and manually type in the command

Code:

cryptsetup -v create root /dev/hda2

I get "command failed: device mapper ioctl error". Don't quote me on the exactness of this error message, I don't have it in front of me, but it was an ioctl error with 254 in it. So I'm thinking this has to do with the major number of the control device. So I booted into a live CD and created a new control device which matched the major/minor numbers of the device created by the live CD. I then chrooted into the initrd drive and ran cryptsetup. It worked perfectly. Hmm...

When I reboot with this setup, it fails. So I boot into the ram drive again and run

Code:

cat /proc/devices

I'm informed that device-mapper is 253,0. Hmm... So I reboot into the live CD and re-run

Code:

mknod ./control c 253 0

This time when I boot up I get the same "command failed" error message. Also, if I chroot into the initrd from the live CD with this new control device 253,0, I get a "command failed" error as well.

So... I know this error message is due to the wrong /dev/mapper/control device. How do I fix this?

OK, I seem to have fixed my issue. The author might want to amend his howto and include the devmap_mknod.sh script in the /bin directory of the myinitrd ram drive. Not all systems use the same major and minor device numbers for the /dev/mapper/control device. I altered the linuxrc file and added a line to run this script before unmounting proc.

I also had issues with an error message telling me that /dev/mapper/root couldn't be mounted and that I had to specify the type of filesystem. I just altered the mount line in the linuxrc file to include the type.

I'm still getting the can't find fstab error. I assume I should just ignore this, since my system boots up ok despite that message.

If for some reason I damage my system horribly such that it cannot boot (e.g. by setting the default runlevel to 0), I can often repair it using a boot disk such as Knoppix or the Gentoo LiveCD. However, with an encrypted root partition, how can I access it to work on it? Any idea how to make a boot disk capable of reading/writing my encrypted partition?
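Two threads of the discussion come together here: the "Command failed" / ioctl errors traced to a /dev/mapper/control node carrying the wrong major (fixed by running devmap_mknod.sh from linuxrc), and the question of repairing an encrypted root from a LiveCD. The script below is an added example for this thread, not the devmap_mknod.sh that ships with device-mapper, though it does the same job: it reads the major the running kernel assigned from /proc/devices instead of hardcoding 254, builds the control node and the mapped-device node from that, and then uses them either as a linuxrc or from a rescue shell. Assumed, not taken from the thread: BusyBox/GNU sh with awk, a cryptsetup of the period whose "cryptsetup create" opens plain dm-crypt volumes (no on-disk header), root on /dev/hda2 with reiserfs as in the howto, and /mnt/gentoo as the rescue mount point.

```shell
#!/bin/sh
# dm-nodes.sh: create /dev/mapper/control and mapped-device nodes from the
# numbers the running kernel reports instead of a hardcoded 254, then use
# them to open root from linuxrc or from a rescue CD. Added example for this
# thread, not the devmap_mknod.sh shipped with device-mapper. Assumed:
# BusyBox/GNU sh and awk, "cryptsetup create" = plain dm-crypt (no header),
# root on /dev/hda2 with reiserfs as in the howto.

set -eu

# Major of device-mapper in one section of /proc/devices: "char" (control
# node) or "block" (mapped volumes). They are allocated independently, so do
# not infer one from the other. $2: alternate file, for tests. Prints nothing
# when dm is not registered (dm-mod/dm-crypt never loaded), which is what
# cryptsetup's "Command failed" usually comes down to.
dm_major() {
    awk -v want="$1" '
        /^Character devices:/ { sec = "char" }
        /^Block devices:/     { sec = "block" }
        $2 == "device-mapper" && sec == want { print $1; exit }
    ' "${2:-/proc/devices}"
}

# Kernels that register the control device via the misc driver list it in
# /proc/misc ("236 device-mapper") instead: major 10, this minor.
dm_misc_minor() {
    awk '$2 == "device-mapper" { print $1; exit }' "${1:-/proc/misc}"
}

# (Re)create $1/mapper/control. Always rebuilt: a node carried over from a
# different kernel (254 from the LiveCD, 253 with dm compiled in) is exactly
# what produced the ioctl errors in this thread. Needs /proc mounted.
ensure_dm_control() {
    devdir=$1 devices=${2:-/proc/devices} misc=${3:-/proc/misc}
    major=$(dm_major char "$devices") minor=0
    if [ -z "$major" ] && [ -r "$misc" ]; then
        minor=$(dm_misc_minor "$misc")
        [ -n "$minor" ] && major=10
    fi
    if [ -z "$major" ]; then
        echo "device-mapper not registered: insmod/modprobe dm-mod first" >&2
        return 1
    fi
    mkdir -p "$devdir/mapper"
    rm -f "$devdir/mapper/control"
    mknod "$devdir/mapper/control" c "$major" "$minor"
}

# Block node for a mapped volume: mk_dm_node /dev root 0 -> /dev/mapper/root
# b <dm block major> 0. Note 2 of the howto, without the hardcoded 254.
mk_dm_node() {
    devdir=$1 name=$2 minor=$3
    major=$(dm_major block "${4:-/proc/devices}")
    if [ -z "$major" ]; then
        echo "device-mapper block major not registered" >&2
        return 1
    fi
    mkdir -p "$devdir/mapper"
    rm -f "$devdir/mapper/$name"
    mknod "$devdir/mapper/$name" b "$major" "$minor"
}

# Open a plain volume and mount it with an explicit -t (autodetection on
# /dev/mapper/<name> failed for one poster). Plain mode has no header, so a
# wrong passphrase is only caught here, by mount failing; use "cryptsetup -y
# create" when first encrypting so a typo cannot lock you out.
open_and_mount() {
    name=$1 dev=$2 mnt=$3 fstype=$4
    cryptsetup create "$name" "$dev"
    mount -t "$fstype" "/dev/mapper/$name" "$mnt"
}

# From a LiveCD: load dm, rebuild the control node for this kernel, open
# root and chroot in to repair the system.
rescue_chroot() {
    dev=${1:-/dev/hda2} fstype=${2:-reiserfs}
    modprobe dm-mod 2>/dev/null || true      # may be built in
    modprobe dm-crypt
    ensure_dm_control /dev
    mkdir -p /mnt/gentoo
    open_and_mount root "$dev" /mnt/gentoo "$fstype"
    mount -t proc proc /mnt/gentoo/proc
    chroot /mnt/gentoo /bin/bash
}

# The same steps as a linuxrc: /proc is mounted before the control node is
# built and unmounted only afterwards; /new-root/initrd must exist for pivot_root.
linuxrc_main() {
    mount -t proc proc /proc
    [ -f /mods/dm-mod.ko ]   && insmod /mods/dm-mod.ko
    [ -f /mods/dm-crypt.ko ] && insmod /mods/dm-crypt.ko
    ensure_dm_control /dev
    open_and_mount root /dev/hda2 /new-root reiserfs
    umount /proc
    cd /new-root
    pivot_root . initrd
    exec chroot . /sbin/init </dev/console >/dev/console 2>&1
}

# Run the boot sequence only when installed as /linuxrc; otherwise just
# define the helpers so the file can be sourced from a rescue shell.
case $0 in /linuxrc) linuxrc_main ;; esac
```

Installed as /linuxrc in the initrd it replaces the hardcoded mknod lines; on a LiveCD, `. ./dm-nodes.sh; rescue_chroot /dev/hda2 reiserfs` gives the repair shell asked about above. The control node and the /dev/mapper/root node take their majors from different sections of /proc/devices, so a system where they happen to coincide (both 254, or both 253) should not be taken as the rule.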